Linux是一套免费使用和自由传播的类Unix操作系统,是一个基于POSIX和UNIX的多用户、多任务、支持多线程和多CPU的操作系统。它能运行主要的UNIX工具软件、应用程序和网络协议。它支持32位和64位硬件。Linux继承了Unix以网络为核心的设计思想,是一个性能稳定的多用户网络操作系统。它主要用于基于Intel x86系列CPU的计算机上。这个系统是由全世界各地的成千上万的程序员设计和实现的。其目的是建立不受任何商品化软件的版权制约的、全世界都能自由使用的Unix兼容产品。
最近项目需要在Linux环境下,本人的本是windows,怎么办么?
答:申请一台服务器,linux环境,用ssh工具就可以开发了
不过服务器上只能用vim开发,开发起来惨不忍睹,怎么办?
答:远程开发
远程开发的原理很简单,就是把服务器上的文件夹映射到windows上,就可以像windows本地开发一样了。
首先在Linux服务器上安装samba,装好后给自己配置一个samba用户,具体方法请自行百度,参考链接:http://blog.csdn.net/i_chips/article/details/19191957。
window端打开计算机,有一个映射网络驱动器选项
打开后有两个选项
第一个是盘符,默认就行,红框所选的地方 写上要映射的服务器文件夹地址。
填好之前在samba上配置的账号/密码,就可以用了。
One way to verify if "keytool" did export my certificate using DER and PEM formats correctly or not is to use "OpenSSL" to view those certificate files. To do this, I used the "openssl x509" command to view keytool_crt.der and keytool_crt.pem:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
>openssl x509 -in keytool_crt.pem -inform pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 1185636568 (0x46ab60d8) Signature Algorithm: dsaWithSHA1 Issuer: C=CA, ST=Herong State, L=Herong City, ... ... >openssl x509 -in keytool_crt.der -inform der -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 1185636568 (0x46ab60d8) Signature Algorithm: dsaWithSHA1 Issuer: C=CA, ST=Herong State, L=Herong City, ... O=Herong Company, OU=Heron ... |
Let's Encrypt是国外一个公共的免费SSL项目,由 Linux 基金会托管,它的来头不小,由Mozilla、思科、Akamai、IdenTrust和EFF等组织发起,目的就是向网站自动签发和管理免费证书,以便加速互联网由HTTP过渡到HTTPS,目前Facebook等大公司开始加入赞助行列。
Let's Encrypt已经得了 IdenTrust 的交叉签名,这意味着其证书现在已经可以被Mozilla、Google、Microsoft和Apple等主流的浏览器所信任,你只需要在Web 服务器证书链中配置交叉签名,浏览器客户端会自动处理好其它的一切,Let's Encrypt安装简单,未来大规模采用可能性非常大。
Let's Encrypt虽然还在测试当中,但是市场需求非常大,已经有非常多的朋友迫不及待地安装并用上了Let's Encrypt。Let's Encrypt向广大的网站提供免费SSL证书,不管是对于网站站长、互联网用户,还是对整个Web互联网,都是非常有利的,它有利于整个互联网的安全。
本篇文章就来为大家讲解一下如何获取Let's Encrypt免费SSL证书,并附上Apache的SSL证书配置方法。
一、 安装Let's Encrypt免费SSL准备
1.Let's Encrypt官网:
官方网站:https://letsencrypt.org/
项目主页:https://github.com/letsencrypt/letsencrypt
2.安装Let's Encrypt脚本依赖环境:(这一部分可以跳过,因为官方提供的Let's Encrypt脚本会自动检测并安装)
|
1 |
$ apt-get install git |
二、获取Let's Encrypt免费SSL证书
1.获取Let's Encrypt免费SSL证书很简单,你只需要执行以下命令,就会自动在你的VPS上生成SSL证书和私钥。
|
1 2 3 4 5 |
$ git clone https://github.com/letsencrypt/letsencrypt $ cd letsencrypt $ ./letsencrypt-auto |
如果只想生成证书,则最后一句使用如下命令(貌似我目前只能用下面的命令,用上面的命令会报错):
|
1 |
$ ./letsencrypt-auto certonly |
2.执行上述命令后,会弹出对话框,同意用户协议。
3.接着会提示让你关闭Nginx或者Apache。
4.Let's Encrypt需要用到80和443端口,所以你需要关闭那些占用这两个端口的应用。
5.当你看以下内容时,就表明你的Let's Encrypt免费SSL证书获取成功了。
|
1 2 3 4 5 6 7 8 9 |
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.mobibrw.com/fullchain.pem. Your cert will expire on 2016-04-25. To obtain a new version of the certificate in the future, simply run Let's Encrypt again. - If you like Let's Encrypt, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le |
注意: 目前阿里云的服务器域名解析不支持DNS Certification Authority Authorization (CAA) Resource Record,导致在进行签名的时候返回如下错误信息:
|
1 2 3 4 5 6 7 8 |
Failed authorization procedure. mobibrw.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up CAA for mobibrw.com IMPORTANT NOTES: - The following errors were reported by the server: Domain: mobibrw.com Type: urn:acme:error:connection Detail: DNS problem: query timed out looking up CAA for mobibrw.com |
目前还没有解决方法,具体的讨论参考 DNS query timeout #1610
目前根据提交给阿里云的工单,今天2016年1月26日已经正式支持了Let's Encrypt,目前验证,一切正常了。
三、证书续期
Let's Encrypt有多种方法来验证你是否是域名的所有人,而acme-tiny这个小工具用的是最简单的方法,也就是利用http文件验证。
简单来说,就是生成一个验证文件,放在http://www.mobibrw.com/.well-known/acme-challenge/下,Let's Encrypt官方验证这个文件是否存在、内容是否正确。如果一切正确,说明域名是你所有。因此我们下面的脚本中会出现创建,删除.well-known/acme-challenge/这个目录的动作。
1.生成证书自动化请求脚本
|
1 |
$ sudo vim /root/renew-ssl.sh |
里面内容如下:
|
1 2 3 4 5 6 7 8 9 |
#!/bin/bash mkdir -p /var/www/wordpress/.well-known/acme-challenge /root/letsencrypt/letsencrypt-auto --renew-by-default certonly --email wangqiang1588@sina.com -d www.mobibrw.com -d mobibrw.com --webroot -w /var/www/wordpress --agree-tos service apache2 reload rm -rf /var/www/wordpress/.well-known |
2.赋予脚本执行权限
|
1 |
$ sudo chmod +x /root/renew-ssl.sh |
3.脚本添加到计划任务,每隔60天执行一次
|
1 |
$ sudo crontab -e |
在文件的最后增加
|
1 |
0 3 */60 * * /root/renew-ssl.sh |
4.查看是否添加成功
|
1 |
$ sudo crontab -l |
5.重启cron服务
|
1 |
$ sudo service cron restart |
四、需要注意的问题
目前(2022/02/27)最新的1.23.0版本,在生成/更新证书的时候,会提示用户是否全站都迁移到HTTPS。如果不小心同意了这个选项,对于Apache服务器来说,会在配置文件中增加如下内容:
|
1 2 3 4 5 6 |
RewriteEngine on RewriteCond %{SERVER_NAME} =www.xxx.com [OR] RewriteCond %{SERVER_NAME} =xxx.com [OR] RewriteCond %{SERVER_NAME} =xxxxx.com [OR] RewriteCond %{SERVER_NAME} =www.xxxxx.com RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] |
这个配置会覆盖我们在网站目录下的HTTPS相关设置(.htaccess),如果我们配置网站某个目录下的文件可以不通过HTTPS进行访问,那么需要手工移除这些自动生成的配置信息,然后重启Apache服务。
查看So文件中的字符串信息(最常见是版本号)
|
1 |
$ strings libc.so | grep Version |
使用cp -r -f 强制覆盖拷贝命令时,每一个文件都需要认为的键入“Y”进行确认,甚是烦扰,难道要我点击一万下不成?
cp命令被设置了别名
alias cp='cp -i'
所以在每次执行cp命令是都会按照这个设置进行人为的确认(-i参数的含义)。
一.使用unalias cp命令 解除对cp的别名(仅本次终端连接会话临时取消),我们先输入alias命令,查看系统内部已经设置的别名:
|
1 2 3 4 5 6 7 8 9 10 11 |
[root@localhost ~]# alias alias cp='cp -i' alias egrep='egrep --color=auto' alias fgrep='fgrep --color=auto' alias grep='grep --color=auto' alias l='ls -CF' alias la='ls -A' alias ll='ls -alF' alias ls='ls --color=auto' alias mv='mv -i' alias rm='rm -i' |
输入unalias cp命令,取消cp命令的别名.
|
1 |
[root@localhost ~]# unalias cp |
二.直接输入\cp命令,作用也是取消cp的别名
|
1 2 |
[root@localhost ~]# \cp filename new/filename [root@localhost ~]# |
三.使用管道的方式,自动输入yes
|
1 |
[root@localhost ~]# yes | cp filename new/filename |
eventfd 在内核版本,2.6.22以后有效。查看内核版本可以用命令 uname -r 。
|
1 2 |
#include<sys/eventfd.h> int eventfd(unsigned int initval,int flags); |
uint64_t)。initval)初始化这个计数器。调用这个函数就会返回一个新的文件描述符(event object)。2.6.27版本开始可以按位设置第二个参数(flags)。EFD_NONBLOCK , 功能同open(2) 的O_NONBLOCK,设置对象为非阻塞状态,如果没有设置这个状态的话,read(2)读eventfd,并且计数器的值为0 就一直堵塞在read调用当中,要是设置了这个标志, 就会返回一个 EAGAIN 错误(errno = EAGAIN)。效果也如同 额外调用select(2)达到的效果。EFD_CLOEXEC 这个标识被设置的话,调用exec后子进程得不到这个句柄,而不影响fork产生的子进程,更多的是安全方面的考虑。EFD_SEMAPHORE,这个标识(since Linux 2.6.30)开始,但是在Android的NDK中是没有这个定义的,因此不建议在Android中使用。他的功能完全可以用默认参数替换,而且更高效,因为如果是信号量模式,每次调用,只会减少1,导致重复进入内核,性能实际上是有影响的。
如果是2.6.26或之前版本的内核,flags 必须设置为0。
创建这个对象后,可以对其做如下操作。
write 将缓冲区写入的8字节整形值加到内核计数器上。
read 读取8字节值, 并把计数器重设为0. 如果调用read的时候计数器为0, 要是eventfd是阻塞的, read就一直阻塞在这里,否则就得到 一个EAGAIN错误。
如果buffer的长度小于8那么read会失败, 错误代码被设置成 EINVAL。
poll select epoll
close 当不需要eventfd的时候可以调用close关闭, 当这个对象的所有句柄都被关闭的时候,内核会释放资源。 为什么不是close就直接释放呢, 如果调用fork 创建
进程的时候会复制这个句柄到新的进程,并继承所有的状态。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 |
#include <sys/eventfd.h> #include <unistd.h> #include <stdlib.h> #include <stdio.h> #include <stdint.h> /* Definition of uint64_t */ #define handle_error(msg) \ do { perror(msg); exit(EXIT_FAILURE); } while (0) int main(int argc, char *argv[]) { uint64_t u; int efd = eventfd(10, 0); if (efd == -1) handle_error("eventfd"); int ret = fork(); if(ret == 0) { for (int j = 1; j < argc; j++) { printf("Child writing %s to efd\n", argv[j]); u = atoll(argv[j]); ssize_t s = write(efd, &u, sizeof(uint64_t)); if (s != sizeof(uint64_t)) handle_error("write"); } printf("Child completed write loop\n"); exit(EXIT_SUCCESS); } else { sleep(2); ssize_t s = read(efd, &u, sizeof(uint64_t)); if (s != sizeof(uint64_t)) handle_error("read"); printf("Parent read %llu from efd\n",(unsigned long long)u); exit(EXIT_SUCCESS); } } |
运行结果:
比较简单,不做过解释。子进程写入命令行中传入的参数,父进程读取其中计数器的值。
运行结果:
|
1 2 3 4 5 6 |
./eventfd 10 20 30 Child writing 10 to efd Child writing 20 to efd Child writing 30 to efd Child completed write loop Parent read 70 from efd |
命令行传入的是10、20、30其和应为60,为啥读取的是70呢?请看15行调用eventfd时第一个参数是10,这个参数是创建eventfd时初始化计数器的值。
参考链接:Linux中eventfd函数调用解析
|
1 2 |
$DIR='./' $find $DIR -type f -print0 | xargs -0 md5sum > ./md5.txt |
|
1 |
$ expect backup.sh |
hostback.sh
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 |
#!/bin/sh LogFile=~/backup/backup-`date +%Y%m%d`.log #指定日志的名字 BakDir=~/backup #备份文件存放的路径 MD5File=~/backup/md5-`date +%Y%m%d`.txt Sha1File=~/backup/sha1-`date +%Y%m%d`.txt #create backup directory if [ -d $BakDir ] then cd $BakDir touch $LogFile else mkdir -p $BakDir cd $BakDir touch $LogFile fi #backup wordpress datadump=`which mysqldump` wordpressdb="wordpress" #wordpress数据库的名字 wordpresspath=/var/www #wordpress程序文件的位置 mysqluser="root" #数据库的用户名 userpass="password" #用户密码 backupwordpress_tar_gz=$wordpressdb.`date +%Y%m%d`.tar.gz backupwordpress_sql=$wordpressdb.`date +%Y%m%d`.sql if $datadump -u $mysqluser --password=$userpass -h localhost --opt $wordpressdb > $backupwordpress_sql 2>&1 then echo " backup $wordpressdb success" >> $LogFile else echo " backup $wordpressdb error" >> $LogFile exit 1 fi #检验文件尾部是否存在 “-- Dump completed on”,如果存在不存在,则说明备份出错了。 if [ 0 -eq "$(sed '/^$/!h;$!d;g' $backupwordpress_sql | grep -c "Dump completed on")" ]; then echo " backup $wordpressdb error" >> $LogFile exit 1 fi #使用h参数的目的在于把软连接指向的实际内容打包进入,而不是仅仅打包一个软连接 if tar czpfh $backupwordpress_tar_gz $wordpresspath $backupwordpress_sql >/dev/null 2>&1 then echo " backup wordpress success" >> $LogFile rm -f $wordpressdb.`date +%Y%m%d`.sql else echo " backup wordperss error" >> $LogFile exit 1 fi md5sum $backupwordpress_tar_gz >> $MD5File sha1sum $backupwordpress_tar_gz >> $Sha1File |
backup.sh
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 |
#!/usr/bin/expect -f #开启内部动作调试输出,观察是否正确执行 1 代表打开调试,0代表关闭调试 exp_internal 0 set HostAddr "www.mobibrw.com" set HostPort 22 set UserName "user" set BackupShell "hostback.sh" set Password "password" set BakDir "backup" set timeout -1 #由于通过FTP传输的文件格式可能\n被替换为\r\n 的情况,因此需要执行一下 dos2unix 转化到 \n spawn dos2unix $BackupShell expect eof spawn ssh $HostAddr -p $HostPort -l $UserName rm -rf ~/$BackupShell expect -re ".*assword:" send "$Password\r" expect eof spawn scp $BackupShell $UserName@$HostAddr:~/$BackupShell expect -re ".*assword:" send "$Password\r" expect eof spawn ssh $HostAddr -p $HostPort -l $UserName chmod +x ~/$BackupShell expect -re ".*assword:" send "$Password\r" expect eof #解决在群晖NAS系统上TCP超时问题,增加心跳保持参数 #同时注意,远端语言有可能不是英文,因此需要增加LC_ALL=C强制切换到英文,否则后续匹配可能无法完成 spawn ssh $HostAddr -o TCPKeepAlive=yes -o ServerAliveInterval=30 -p $HostPort -l $UserName "LC_ALL=C sudo -E bash ~/$BackupShell" expect -re ".*assword:" send "$Password\r" expect eof spawn scp -r $UserName@$HostAddr:~/$BakDir ./ expect -re ".*assword:" send "$Password\r" expect eof #backup-20151227.log\nbash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.utf8) 这种情况要注意 proc getFilterFile { host port user bakdir password filter regx} { spawn ssh $host -p $port -l $user ls ~/$bakdir | grep $filter expect -re ".*assword:" send "$password\r" expect -re "$regx" expect eof return [string trimright $expect_out(0,string)] } cd ./$BakDir #校验MD5,SHA1 set MD5File [getFilterFile $HostAddr $HostPort $UserName $BakDir $Password "md5" "md5(.*).txt"] puts stdout $MD5File #修改语言环境,否则md5sum,sha1sum返回的结果中可能不会出现"OK",而是会出现“确定” #“失败” if {[info exists ::env(LANG)]==1} { set ORG_LANG "$env(LANG)" puts stdout "$env(LANG)" set env(LANG) "C" puts stdout "$env(LANG)" } if {[info exists ::env(LC_ALL)]==1} { set ORG_LC_ALL "$env(LC_ALL)" puts stdout "$env(LC_ALL)" set env(LC_ALL) "C" puts stdout "$env(LC_ALL)" } spawn md5sum -c $MD5File expect -re ".*OK" expect eof set Sha1File [getFilterFile $HostAddr $HostPort $UserName $BakDir $Password "sha1" "sha1(.*).txt"] puts stdout $Sha1File spawn sha1sum -c $Sha1File expect -re ".*OK" expect eof #还原语言设置 if {[info exists ::env(LANG)]==1} { puts stdout "$env(LANG)" set env(LANG) "$ORG_LANG" puts stdout "$env(LANG)" } if {[info exists ::env(LC_ALL)]==1} { puts stdout "$env(LC_ALL)" set env(LC_ALL) "$ORG_LC_ALL" puts stdout "$env(LC_ALL)" } #打印本次的备份日志出来 set LogFile [getFilterFile $HostAddr $HostPort $UserName $BakDir $Password "backup" "backup(.*).log"] puts stdout $LogFile set f [ open $LogFile r] while { [ gets $f line ] >= 0 } { puts stdout $line;} #删除远端的备份脚本 spawn ssh $HostAddr -p $HostPort -l $UserName sudo rm -rf ~/$BackupShell expect -re ".*assword:" send "$Password\r" expect eof #删除远端的备份目录 spawn ssh $HostAddr -p $HostPort -l $UserName sudo rm -rf ~/$BakDir expect -re ".*assword:" send "$Password\r" expect eof |
在安装Ubuntu 15.04的时候,由于机器使用的是SSD硬盘,因此在建立HOME分区的时候选择了使用Btrfs格式作为分区格式。一直都是使用正常,直到今天,在向HOME分区拷贝一个16GB的文件的时候提示 “拼接文件出错:设备上没有空间” (英文系统可能会提示 “No space left on device”)。
使用"df"命令查询分区,发现所有分区都是足够的。如下图所示,空间足够使用,尤其是HOME分区,足足有40GB的空间。
维基百科搜索“btrfs”,简介中标明,最大文件尺寸 16 EiB,显然,16GB的文件,是不会超过这个限制的。
同样是维基百科,btrfs条目,标明 最大文件数量 2^64,显然,120GB的一个硬盘,即使是全部是一个字节的小文件,也达不到这个数字的。
使用"df -i"命令查询Inode信息,发现好奇怪的现象,home所在的分区信息中Inode信息,不管是已经你使用的,还是可以使用的,还是总数,都是 0. 为什么呢?
后来才知道,btrfs格式是不能使用df命令的,btrfs有自己的单独的命令查询.
|
1 |
$btrfs fi df /home |
仔细观察一下输出结果,好奇怪,使用df 命令,我们查询到分区的大小在90GB左右,但是这里显示的文件的大小仅仅是43GB,而且已经使用了42.50GB,按照这个显示,自然是空间不足了,那么,我们的空间去了哪里?
这个问题的产生,本质上是btrfs设计导致的,原因归咎于btrfs所采用的COW技术,这项技术需要一个比较大的保留存储空间,但是当空间不足的时候,本应减少保留空间,而显然,默认情况下,没有正确处理这种情况。这个问题在3.18版本之后得到比较好的解决。
对于 btrfs 3.18之前的版本来说,执行如下命令即可.
|
1 |
$btrfs balance start -v -dusage=0 /home |
从3.18版本开始,这个命令是当空间不足出现的时候,默认执行的,很遗憾,15.04的btrfs版本号是3.17.
显示btfs文件系统信息
|
1 2 3 4 5 6 |
$sudo btrfs fi show Label: none uuid: 6fb44e01-f148-41c7-8448-17b58089f908 Total devices 1 FS bytes used 43.42GiB devid 1 size 88.00GiB used 46.06GiB path /dev/sdb7 Btrfs v3.17 |
btrfs磁盘文件检查(需要重启进入修复模式中执行)
|
1 |
sudo btrfs check --repair /dev/sda7 |
Btrfs Problem_FAQ
Ubuntu thinks btrfs disk is full but its not
由于国外网站经常打不开,因此内容直接复制到这里 原文链接
Btrfs is different from traditional filesystems. It is not just a layer that translates filenames into offsets on a block device, it is more of a layer that combines a traditional filesystem with LVM and RAID. And like LVM, it has the concept of allocating space on the underlying device, but not actually using it for files.
A traditional filesystem is divided into files and free space. It is easy to calculate how much space is used or free:
|
1 2 |
|--------files--------| | |------------------------drive partition-------------------------------| |
Btrfs combines LVM, RAID and a filesystem. The drive is divided into subvolumes, each dynamically sized and replicated:
|
1 2 3 |
|--files--| |--files--| |files| | | |----@raid1----|------@raid1-------|-----@home-----|metadata| | |------------------------drive partition-------------------------------| |
The diagram shows the partition being divided into two subvolumes and metadata. One of the subvolumes is duplicated (RAID1), so there are two copies of every file on the device. Now we not only have the concept of how much space is free at the filesystem layer, but also how much space is free at the block layer (drive partition) below it. Space is also taken up by metadata.
When considering free space in Btrfs, we have to clarify which free space we are talking about - the block layer, or the file layer? At the block layer, data is allocated in 1GB chunks, so the values are quite coarse, and might not bear any relation to the amount of space that the user can actually use. At the file layer, it is impossible to report the amount of free space because the amount of space depends on how it is used. In the above example, a file stored on the replicated subvolume @raid1 will take up twice as much space as the same file stored on the @homesubvolume. Snapshots only store copies of files that have been subsequently modified. There is no longer a 1-1 mapping between a file as the user sees it, and a file as stored on the drive.
You can check the free space at the block layer with btrfs filesystem show / and the free space at the subvolume layer with btrfs filesystem df /
|
1 2 3 |
# df -h Filesystem Size Used Avail Use% Mounted on /dev/mapper/sda4_crypt 38G 12G 13M 100% / |
For this mounted subvolume, df reports a drive of total size 38G, with 12G used, and 13M free. 100% of the available space has been used. Remember that the total size 38G is divided between different subvolumes and metadata - it is not exclusive to this subvolume.
|
1 2 3 4 5 6 |
# btrfs filesystem df / Data, single: total=9.47GiB, used=9.46GiB System, DUP: total=8.00MiB, used=16.00KiB System, single: total=4.00MiB, used=0.00 Metadata, DUP: total=13.88GiB, used=1.13GiB Metadata, single: total=8.00MiB, used=0.00 |
Each line shows the total space and the used space for a different data type and replication type. The values shown are data stored rather than raw bytes on the drive, so if you're using RAID-1 or RAID-10 subvolumes, the amount of raw storage used is double the values you can see here.
The first column shows the type of item being stored (Data, System, Metadata). The second column shows whether a single copy of each item is stored (single), or whether two copies of each item are stored (DUP). Two copies are used for sensitive data, so there is a backup if one copy is corrupted. For DUP lines, the used value has to be doubled to get the amount of space used on the actual drive (because btrfs fs df reports data stored, not drive space used). The third and fourth columns show the total and used space. There is no free column, since the amount of "free space" is dependent on how it is used.
The thing that stands out about this drive is that you have 9.47GiB of space allocated for ordinary files of which you have used 9.46GiB - this is why you are getting No space left on device errors. You have 13.88GiB of space allocated for duplicated metadata, of which you have used 1.13GiB. Since this metadata is DUP duplicated, it means that 27.76GiB of space has been allocated on the actual drive, of which you have used 2.26GiB. Hence 25.5GiB of the drive is not being used, but at the same time is not available for files to be stored in. This is the "Btrfs huge metadata allocated"problem. To try and correct this, run btrfs balance start -m /. The -m parameter tells btrfs to only re-balance metadata.
A similar problem is running out of metadata space. If the output had shown that the metadata were actually full (used value close to total), then the solution would be to try and free up almost empty (<5% used) data blocks using the command btrfs balance start -dusage=5 /. These free blocks could then be reused to store metadata.
For more details see the Btrfs FAQs: